CVSS2
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:A/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 25.0%
An exploitable improper access control vulnerability exists in the Bluetooth Low Energy functionality of Winco Fireworks FireFly FW-1007 V2.0. An attacker can connect to the device to trigger this vulnerability.
Winco Fireworks FireFly FW-1007 V2.0
<https://shootfirefly.com/>
6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-284: Improper Access Control
The Winco Fireworks FireFly is an automated fireworks launcher designed to be operated remotely over Bluetooth Low Energy. The launcher is designed not only to fire single fireworks safely, but also to coordinate larger fireworks shows of up to 15 different fireworks that can be staged to music. The majority of this coordination occurs in the FireFly phone application.
The vulnerability is present within the firmware of the FireFly device itself. The device does not require or use any form of authentication of the device that connects to it. It accepts a single Bluetooth Low Energy connection at a time, from any peer, and executes the commands it receives. By connecting to the device and sending the following command, you can launch any fireworks bay without any type of authentication.
0xAA 06 77 00 00 00 04 |bay number|
This vulnerability exposes a physical safety issue: the operator cannot trust that the device is disconnected from all users while they are working on the fireworks. A unique Bluetooth Low Energy PIN should be used to properly enforce a pre-shared key before the FireFly is exposed to a potentially malicious environment.
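An added example, not from the advisory or the vendor's firmware: a device-side command handler modeled in C, with the unauthenticated behaviour described above beside a version that refuses writes unless the link is encrypted with a passkey-paired key. The `link_state` struct, the function names, the one-byte bay field and the 1 to 15 bay numbering are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-connection state a BLE stack would report to the app layer. */
struct link_state {
    bool encrypted;      /* link is encrypted with a key from pairing */
    bool authenticated;  /* that key came from passkey (MITM-protected) pairing */
};

enum cmd_result { CMD_FIRE, CMD_REJECT_AUTH, CMD_REJECT_FORMAT };

/* Header bytes of the launch command as printed in the advisory. */
static const uint8_t LAUNCH_HDR[] = { 0xAA, 0x06, 0x77, 0x00, 0x00, 0x00, 0x04 };
#define MAX_BAYS 15  /* advisory: shows of up to 15 fireworks; 1..15 numbering is assumed */

/* Returns the bay number (1..MAX_BAYS) or 0 when the frame is malformed. */
static uint8_t parse_launch(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len != sizeof LAUNCH_HDR + 1)
        return 0;
    if (memcmp(buf, LAUNCH_HDR, sizeof LAUNCH_HDR) != 0)
        return 0;
    uint8_t bay = buf[sizeof LAUNCH_HDR];
    return (bay >= 1 && bay <= MAX_BAYS) ? bay : 0;
}

/* Models the behaviour in the advisory: any connected peer's command is executed. */
enum cmd_result handle_write_unchecked(const struct link_state *link,
                                       const uint8_t *buf, size_t len)
{
    (void)link;  /* link security is never consulted */
    return parse_launch(buf, len) ? CMD_FIRE : CMD_REJECT_FORMAT;
}

/* Hardened: refuse before parsing unless the peer completed passkey pairing. */
enum cmd_result handle_write_checked(const struct link_state *link,
                                     const uint8_t *buf, size_t len)
{
    if (link == NULL || !link->encrypted || !link->authenticated)
        return CMD_REJECT_AUTH;
    return parse_launch(buf, len) ? CMD_FIRE : CMD_REJECT_FORMAT;
}
```

Requiring both flags matters: a link encrypted after unauthenticated pairing still lets any nearby peer pair and send commands, so encryption alone does not enforce the pre-shared PIN.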
Discovered by Carl Hurd of Cisco Talos.
2019-01-23 - Initial Contact
2019-01-24 - Vendor Disclosure; Vendor acknowledged reports
2019-02-19 - 1st follow up (near 30 day); no response
2019-03-28 - 2nd follow up (60 day); no response
2019-04-10 - Notice of 90 day mark approaching
2019-05-08 - Public Release